konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0

Example of how to use "Custom User Authorizers" with nifikop #221

Closed skpathak2 closed 1 year ago

skpathak2 commented 1 year ago

Type of question

Implementation Assistance

Support question

Hello, I have managed to integrate nifi-cluster (launched by nifikop) with LDAP and am able to authenticate; however, I am now facing an issue with authorization, please see the error below. It seems like we need to change the value for Initial Admin Identity in authorizers.xml, hence I am trying to use "Custom User Authorizers" with the following template, which does not work and does not modify the authorizers.xml. The following is for nifi-cluster, which has authorizerConfig nested under cluster. Appreciate your guidance. Thanks.

I also created a configmap with the following attributes:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: authcm
data:
  # Update Authorizer.xml
  authorizers.xml: |
      {{- $nodeList := .NodeList }}
      {{- $clusterName := .ClusterName }}
      {{- $namespace := .Namespace }}<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <authorizers>
          <userGroupProvider>
              <identifier>file-user-group-provider</identifier>
              <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
              <property name="Users File">../data/users.xml</property>
              <property name="Legacy Authorized Users File"></property>
              <property name="Initial User Identity admin">{{ .ControllerUser }}</property>
      {{- range $i, $host := .NodeList }}
              <property name="Initial User Identity {{ $i }}">{{ $host }}</property>
      {{- end }}
          </userGroupProvider>
          <accessPolicyProvider>
              <identifier>file-access-policy-provider</identifier>
              <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
              <property name="User Group Provider">file-user-group-provider</property>
              <property name="Authorizations File">../data/authorizations.xml</property>
              <property name="Initial Admin Identity">cn=nifiadmin,ou=users,dc=example,dc=org</property>
              <property name="Initial Admin Identity">{{ .ControllerUser }}</property>
              <property name="Legacy Authorized Users File"></property>
      {{- range $i, $host := .NodeList }}
              <property name="Node Identity {{ $i }}">{{ $host }}</property>
      {{- end }}
              <property name="Node Group"></property>
          </accessPolicyProvider>
          <authorizer>
              <identifier>managed-authorizer</identifier>
              <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
              <property name="Access Policy Provider">file-access-policy-provider</property>
          </authorizer>
      </authorizers>
```

![image](https://user-images.githubusercontent.com/44122113/210875685-f01fc012-f770-4e2b-8c0b-5344aa69078b.png)

values.yaml

```yaml
cluster:
  authorizerConfig:
    # An authorizers.xml configuration template that will replace the default template seen in authorizers.go and the replaceTemplateConfigMap
    replaceTemplateConfigMap:
      # The key of the value,in data content, that we want use.
      data: authorizers.xml
      # Name of the configmap that we want to refer.
      name: authcm
      # Namespace where is located the secret that we want to refer.
      namespace: nifi
```

NiFiKop version

1.0.0

Golang version

No response

Kubernetes version

No response

NiFi version

1.17.0
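
A custom authorizers template like the one in this post can be rendered and linted offline before it goes into a ConfigMap. The following is an added example, not code from the issue or from nifikop: it assumes the template is rendered with Go's `text/template` (whose syntax it uses), and the names `issueTemplate` and `duplicateProps` and the sample values are constructed here. It reports `accessPolicyProvider` property names that occur more than once, such as the two `Initial Admin Identity` entries above.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"text/template"
)

// Constructed excerpt: the accessPolicyProvider section of the template posted in the issue.
const issueTemplate = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers><accessPolicyProvider>
  <property name="Initial Admin Identity">cn=nifiadmin,ou=users,dc=example,dc=org</property>
  <property name="Initial Admin Identity">{{ .ControllerUser }}</property>
{{- range $i, $host := .NodeList }}
  <property name="Node Identity {{ $i }}">{{ $host }}</property>
{{- end }}
</accessPolicyProvider></authorizers>`

// duplicateProps renders tmpl, parses it as XML, and returns repeated property names.
func duplicateProps(tmpl string, data map[string]interface{}) ([]string, error) {
	t, err := template.New("authorizers.xml").Parse(tmpl)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return nil, err
	}
	var doc struct {
		Props []struct {
			Name string `xml:"name,attr"`
		} `xml:"accessPolicyProvider>property"`
	}
	if err := xml.Unmarshal(buf.Bytes(), &doc); err != nil {
		return nil, err
	}
	seen, dups := map[string]int{}, []string{}
	for _, p := range doc.Props {
		if seen[p.Name]++; seen[p.Name] == 2 {
			dups = append(dups, p.Name)
		}
	}
	return dups, nil
}

func main() {
	data := map[string]interface{}{"NodeList": []string{"node-0", "node-1"}, "ControllerUser": "controller"} // constructed values
	fmt.Println(duplicateProps(issueTemplate, data))
}
```

A template syntax error or malformed XML comes back as the error value, so the same function catches a broken template before it is deployed.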

mh013370 commented 1 year ago

I actually think there's a bug here. In the cases where nifikop looks to do the authorizer substitution, the condition it uses to decide whether to substitute is wrong.

Here, the condition should be `if err != nil` instead of `if err == nil`. As written, the condition is backwards. I will raise a PR.

narayanbhawar10 commented 1 year ago

@skpathak2 can you share your nifi cluster yaml if it is not sensitive?